Closed Bug 1205479 Opened 9 years ago Closed 9 years ago

Todoist extension is sending all the sites a user visits to a webapp hosted on an insecure server

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Product:
Toolkit
Component:
Blocklist Policy Requests
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mossop, Assigned: jorgev)

Details

(Whiteboard: [qa-]) 

I'm not sure if this should be a blocklisting thing, or a case where we get them to update their code. At the very least seems like they should be required to have a privacy policy.

I was looking in my browser console and discovered a startling number of unsafe CPOW warnings coming from Todoist even when not interacting with Firefox in any way. Looking at the code I found this gem:

setInterval(function() {
  var frame_href = XULTodoistFirefox.TODOIST_ELM.contentDocument.location.href;

  if(frame_href.indexOf('/app') != -1) {
    if(XULTodoistFirefox.last_location != content.location.href) {
      var data_to_send = {};
      data_to_send['href'] = content.location.href;
      data_to_send['title'] = content.document.title;
      data_to_send['type'] = 'T_FIREFOX_MESSAGE';

      var data_to_string = JSON.stringify(data_to_send);
      XULTodoistFirefox.TODOIST_ELM.contentDocument.defaultView.postMessage(data_to_string, '*');
      XULTodoistFirefox.last_location = content.location.href;
    }
  }
}, 300);

For context Todoist opens a sidebar showing a slim version of their webapp. Once opened this interval starts and every 30ms it grabs the url and title of the current opened tab and if it differs from the last uses postMessage to send it to the webapp. Also the webapp is hosted on an insecure webserver. Also it does this even if the sidebar is closed.

Marking as security sensitive for now since this allows a MITM attack to get any Todoist user's browsing data.
I should add that there doesn't seem to be any good reason why they would need to see every url the user visits. The sidebar has an option to create a task from a website which would need the url but that could be requested when needed.
Thanks. I sent a message to the developer via AMO, giving them some time to fix the add-on. If they don't comply within two weeks, the add-on will be blocked. If the add-on is updated to a safe version, we will block the old versions once most users have updated.
Assignee: nobody → jorge
Blocked: https://addons.mozilla.org/en-US/firefox/blocked/i1030
Group: addons-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [qa-]
Target Milestone: --- → 44.2
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.